<?php
/*
    This "login" script is vulnerable to username enumeration attack.
*/
function authenticate($user, $password) {
    if (!user_exists($user)) {
        display_error('The username "' . htmlspecialchars ($user) . '" doesn\'t exist. Please check your input.');
        return false;
    }
    if (!check_password($user, $password)) {
        display_error("Invalid password for user " . htmlspecialchars ($user) . ". Please note that the password is case sensitive");
        return false;
    }
    return true;
}
?>
